Post 1, 15th June 04:16, php-bugs (External User)
#38248 : PHP ip2long() function circumvention



From: rgod at autistici dot org
Operating system: all
PHP version: 5.1.4
PHP Bug Type: *Network Functions
Bug description: PHP ip2long() function circumvention

Description:
------------
--- PHP ip2long() function circumvention
--------------------------------------

tested on PHP 5.0.2 and 4.3.3
--------------------------------------------------------------------------------
After some tests on the miniBB application (http://www.minibb.net/) I found that the PHP ip2long() function can be tricked into returning a valid IPv4 Internet network address instead of "-1" even if the IP address argument is not a valid one, through the injection of some chars, e.g.:

<?php
for ($i=0; $i<=255; $i++)
{
echo $i.":".ip2long("1.1.1.1".chr($i)."'or'a'='a'/*")."\r\n";
}
?>

When chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or chr(32), it gives the following (valid) result:

16843009

In the miniBB case this could result in SQL injection, by forging a header like this:

X-FORWARDED-FOR: 1.1.1.1[CHR(9)]'[SQL CODE]

or even like this:

X-FORWARDED-FOR: 1[CHR(9)]'[SQL CODE]

(However, MiniBB limits the string to 15 chars, so you will end up with a not very useful twelve-char SQL injection...)
Also remember that HTTP headers are not filtered by PHP magic_quotes_gpc, so this could give an attacker a way to fully compromise an application.

code taken from MiniBB 2.0
index.php, 248-264
/* Banned IPs/IDs stuff */
$thisIp=getIP(); // <--- here $thisIp becomes our sql code
$cen=explode('.', $thisIp);

if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){
    $thisIpMask[0]=$cen[0].'.'.$cen[1].'.'.$cen[2].'.+';
    $thisIpMask[1]=$cen[0].'.'.$cen[1].'.+';
}
else {
    $thisIpMask[0]='0.0.0.+';
    $thisIpMask[1]='0.0.0.+';
}

if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { // <--- $thisIp is passed to the db_ipCheck() function
    $title=$sitename." :: ".$l_accessDenied;
    echo ParseTpl(makeUp('main_access_denied')); exit;
}

bb_functions.php, near lines 123-131
//--------------->
function getIP(){
    $ip1=getenv('REMOTE_ADDR');$ip2=getenv('HTTP_X_FORWARDED_FOR');
    if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1; // <-- vulnerable code
    $finalIP=substr($finalIP,0,15);
    return $finalIP;
}

//--------------->

setup_mysql.php, near lines 99-105:

function db_ipCheck($thisIp,$thisIpMask,$user_id){
    $res=mysql_query('select id from '.$GLOBALS['Tb'].' where '
        .'banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or ' // <--- sql injection
        .'banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'");
    echo mysql_error();
    if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;
}

--------------------------------------------------------------------------------
1.05 29/07/2006
rgod
http://retrogod.altervista.org/php_ip2long.html
--------------------------------------------------------------------------------
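As an added example (not the report's code and not MiniBB's), here is how the getIP()/db_ipCheck() pair can be hardened against the behaviour described in the report and against the maintainer's point below that inet_addr() is not binary safe: validate the forwarded value against the whole string instead of trusting ip2long()'s return value, and bind it as a query parameter. Function names, the mysqli handle and the table name are assumptions; later PHP releases (5.5.0 and newer, per the manual's changelog) also make ip2long() itself reject such input.

```php
<?php
// Added example, not MiniBB's code and not part of the bug report: a
// hardened replacement for the getIP()/db_ipCheck() pair. Function names,
// the mysqli handle and the table name are assumed for illustration.

// Strict dotted-quad check. Old ip2long() wraps inet_addr(), which stops
// at the first byte it cannot parse, so "1.1.1.1\t' or ..." still converts;
// anchoring a regex on the whole string rejects any trailing bytes.
function isCleanIPv4(string $s): bool
{
    if (!preg_match('/\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/', $s, $m)) {
        return false;
    }
    for ($i = 1; $i <= 4; $i++) {
        if ((int) $m[$i] > 255) {
            return false;   // octet out of range
        }
    }
    // Round trip as a second opinion: also rejects leading zeros ("01.1.1.1"),
    // which inet_addr() would read as octal.
    return long2ip(ip2long($s)) === $s;
}

// Only trust X-Forwarded-For when it is a clean address; otherwise fall
// back to the socket peer address. Nothing from the header reaches SQL
// unless it passed isCleanIPv4().
function getClientIP(array $server): string
{
    $fwd = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    return isCleanIPv4($fwd) ? $fwd : ($server['REMOTE_ADDR'] ?? '');
}

// Ban lookup with bound parameters: even an unexpected value is compared
// as data and cannot change the query. $table is assumed to come from
// trusted configuration, never from the request.
function isBanned(mysqli $db, string $table, string $ip, array $masks, string $userId): bool
{
    $stmt = $db->prepare("SELECT id FROM `$table` WHERE banip IN (?, ?, ?, ?)");
    $stmt->bind_param('ssss', $ip, $masks[0], $masks[1], $userId);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

// Constructed inputs mirroring the report's payloads (TAB after the address).
var_dump(isCleanIPv4("1.1.1.1"));
var_dump(isCleanIPv4("1.1.1.1\t'or'a'='a'/*"));
var_dump(getClientIP(['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => "1\t'"]));
```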

Post 2, 15th June 04:16, php-bugs (External User)
#38248 : PHP ip2long() function circumvention



ID: 38248
User updated by: rgod at autistici dot org
Reported By: rgod at autistici dot org
Status: Open
Bug Type: *Network Functions
Operating System: all
PHP Version: 5.1.4
New Comment:

confirmed even on 5.1.4


Previous Comments:
------------------------------------------------------------------------
[2006-07-29 09:04:30] rgod at autistici dot org: original report (post 1 above)

Post 3, 15th June 04:17, External User
#38248 : PHP ip2long() function circumvention


ID: 38248
Updated by: iliaa@php.net
Reported By: rgod at autistici dot org
-Status: Open
+Status: Bogus
Bug Type: *Network Functions
Operating System: all
PHP Version: 5.1.4
New Comment:

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

inet_addr() is not binary safe.


Previous Comments:
------------------------------------------------------------------------
[2006-07-29 09:06:09] rgod at autistici dot org: confirmed even on 5.1.4
[2006-07-29 09:04:30] rgod at autistici dot org: original report (post 1 above)
